ProfitPress Mega CDROM2 Shareware Freeware (MSDOS)(1992)(Eng)

home *** CD-ROM | disk | FTP | other *** search

/ ProfitPress Mega CDROM2 …eeware (MSDOS)(1992)(Eng) / ProfitPress-MegaCDROM2.B6I / UTILITY / VIRUS / PCV4DBF.ZIP / PCV.DOC < prev next >

Wrap

Text File | 1991-06-05 | 39.4 KB | 941 lines

PC-Virus Index Version 4.00 -------------- (c) Copyright 1991 Bryan Clough PC-Virus Index TABLE OF CONTENTS 1. Introduction ......................................... 1 1. Copyright ....................................... 1 2. Public Domain Dedication ........................ 1 3. Disclaimer ...................................... 2 4. Acknowledgements ................................ 2 5. Registration & Licensing ........................ 2 6. Contacts ........................................ 3 2. The Virus Identification Problem ..................... 4 3. Installation & Updates ............................... 5 1. Installation .................................... 5 2. Self Check ...................................... 5 3. Updates ......................................... 5 4. Starting Up ..................................... 5 4. The Opening Screen ................................... 6 1. Start ............................................ 6 2. Browse Options .................................. 6 3. Re-Index ........................................ 6 4. Text ............................................ 6 4. Quit & Information .............................. 6 5. Virus Profiles ....................................... 7 1. Names ........................................... 7 2. Sizes ........................................... 7 3. Country, Date, Strains .......................... 8 4. Effects ......................................... 8 5. Category ........................................ 8 6. Re-Sorting the Records .......................... 8 6. Virus Behaviour ....................................... 9 1. Diskette Boot Sector ............................. 9 2. Hard Disks ....................................... 9 3. Master Boot Sector ............................... 10 4. Partition Boot ................................... 10 5. COMMAND.COM ...................................... 10 6. COM Files ........................................ 10 7. EXE & Overlay Files .............................. 10 8. Other Executables ................................ 11 9. Stealth, Mutating, Resident & Overwriting ........ 11 7. Detection & Disinfection .............................. 12 8. Navigating the Database ............................... 13 1. Scroll ........................................... 13 2. Find ............................................. 13 3. Search Techniques ................................ 14 4. Goto ............................................. 14 9. Other Features ........................................ 15 1. Warning Messages ................................. 15 2. Reports .......................................... 15 3: VI-Guide ......................................... 15 PC-Virus Index - Page 1 1. INTRODUCTION --------------- PC-Virus Index is an up-to-date and authoritative knowledge base on PC computer viruses which, uniquely, categorizes them by families as their relationships become known. It also lists the various strains, characteristics and sizes together with several leading scanners that might offer positive detection and, in some cases, also disinfection. Warning messages are also posted, as appropriate and many of the records are linked directly to one of the text reports. There are over 100 reports which provide both a wealth of technical information as well as background material. Users are also provided with an indexing facility that allows them to sort the records in the order of their choice. It is maintained daily with reports from recognized experts throughout the world and it is distributed monthly mainly through virus researchers and computer security specialists. This release categorizes 350+ records which describe 800+ strains of virus, many of which have yet to be reported by any other provider of information. Importantly, it also lists 'phantom viruses', typically trojans that find their way into some scanners and then scare the pants of everybody for evermore. It also notes where false alarms are having an effect. As the virus population increases (it has doubled every six months over the past 4 years), so does the potential for false alarms. 1. COPYRIGHT The program PCV.EXE, the database PCV.DBF, the method of categorizing and listing viruses and this document are (c) Copyright 1991 Bryan Clough and may not be used by businesses, corporations, agencies, government or professional bodies without a site licence. The database and program may be freely distributed in UNMODIFIED FORM to any other individual or organization but modified copies of these files may not be distributed and information from these files may not be included in any listing, program, magazine article or any other published work without written permission from the authors. 2. PUBLIC DOMAIN DEDICATION The text reports (*.rpt) which are separately provided for use with or without PC-Virus Index have been collected and collated from a variety of sources and are presumed to be in the Public Domain. All the text (*.rpt) reports that have been specifically prepared by the authors and included in this collection are hereby dedicated to the Public Domain. This document is specifically excluded from the dedication. PC-Virus Index - Page 2 3. DISCLAIMER The material contained in PC-Virus Index has been prepared for general information of the user and should not be used or relied upon for specific applications without first securing competent advice. While the material is believed to be technically correct, the Publishers, Editors, Authors and its Contributors do not represent or warrant its suitability for any specific use and assume no liability or responsibility of any kind in connection with the information herein. The anti-viral products listed have been chosen because of the integrity of the developers but their inclusion is not an endorsement of their suitability either generally or specifically. Users are strongly recommended regularly and systematically to make backup copies of all disks, as the best defence against virus action and other disruptions. 4. ACKNOWLEDGMENTS The authors thank all contributors and particularly: Jim Bates (Virus Information Service) Vesselin Bontchev (Bulgarian Academy of Sciences) Ian Leitch (London School of Hygiene & Tropical Medicine) Andy Sharp (Symantec (UK) Ltd) Fridrik Skulason (Frisk Software International) Alan Solomon (S&S International) Dan McCool (Virus Help Europe) Extracts from The Computer Virus Catalog are with the kind permission of Prof Dr Klaus Brunnstein, Faculty for Informatics, University of Hamburg, Schlueterstrasse 70 D2000 Hamburg 13, Germany. Other sources include: McAfee Associates, The Virus Bulletin and Virus-L. 5. REGISTRATION & LICENSING The unregistered versions of the program and database are sub-sets of the registered versions and also contain a start-up screen with a 30 second reminder. Registered versions are personalized and entitle their users to receive the full, latest versions and updates. PC-Virus Index is totally independent of vendor sponsorship and looks to users for their support through either registration or licensing. PC-Virus Index - Page 3 6. CONTACTS To become a Registered User with a site licence (£ 195, US$ 395, DM 595) for the next twelve months, please contact: Bryan Clough 19 Walsingham Road Hove BN3 4FE United Kingdom VOICE: +44 (0) 273 773959 FAX: +44 (0) 273 778570 PC-Virus Index - Page 4 2. THE VIRUS IDENTIFICATION PROBLEM ----------------------------------- For the most part, developers of anti-viral products try very hard to rationalize on virus names, but it isn't easy. Generally, each scanner uses its own 'search string' with the advantage that 'hacks' designed to evade one scanner will probably be found by one of the others. The disadvantage is that those that don't find the hack will then have to find a 'new' virus and possibly also a new name. Around 75% of 'new' viruses are variants of already known ones. The problem is compounded when a suspicious program is classified as 'a virus', even before its ability to replicate has been confirmed. But, some viruses do not work on all machines, or on all versions of DOS, or on all media and one virus even has to have its name changed before it becomes infective. So it often takes time before a verdict is reached. There is also the never ending problems of false alarms that the developers of scanners have to contend with. It is one thing to find a search string that will find the virus but how can it possibly be tested out on all the hundreds of thousands of programs that it might have to meet 'out in the field'? PC-Virus Index lists all reported viruses and runs correlation checks on the information, looking for relationships and testing a wide range of scanners against a large and continually growing library of viruses. It is an ongoing process of rationalization and harmonization, as various reports are reconciled. It is not the aim of PC-Virus Index to name viruses, but simply to record the usage of names. And as a preferred name emerges, names that have fallen into disuse will be discarded, particularly when a virus has become well known throughout the research community. So don't use PC-Virus Index as a source for every obscure name that has ever been ascribed to a virus, but as a source for generally accepted names, succinct profiles and detailed technical information when it is required. As you will see when you use PC-Virus Index, the method of categorizing viruses by record within families brings a much needed sense of order to a largely chaotic and totally unproductive activity which, sadly, is becoming ever more popular in certain parts of the world. We hope that the information now provided will be of practical use in helping to combat this growing nuisance. To the virus writer or would-be virus writer who is reading this, our request is: please stop! It's a stupid thing to do and legislation is being put in place that means that someone will soon be going to jail. It could be you. PC-Virus Index - Page 5 3. INSTALLATION & UPDATES ------------------------- 1: INSTALLATION PC-Virus Index is delivered in three archived files: a: PCVI-V4.ZIP which includes: PCV.EXE - the program file, Version 4.0 PCV.DOC - this document KEY.DBF - the key file b: PCV-Dnnn.ZIP which includes: PCV.DBF - the database file with nnn records c: PCV-Rnnn.ZIP which includes: *.RPTS - nnn reports 2. SELF CHECK All anti-virus software is a prime target for virus writers, so please take care by obtaining your copy from either an authorized or a reputable source. As an added protection, the program has a self- checking feature, which is designed to detect accidental modification. 3. UPDATES When an updated database file and reports are received, these should be extracted from the archive and copied into the directory being used. The new database file will then be listed among the FILE options and should be opened AND SORTED before being 'browsed'. 4. STARTING UP With all the files in one directory (say PCV), type PCV [Enter]. This should bring up either the Unregistered screen or the cascading PC-Virus Index display. Hitting any key then brings up the Opening Screen. PC-Virus Index - Page 6 4. THE OPENING SCREEN --------------------- ┌──────────────────────────────────────────────────────────────────────────────┐ │ Start Browse Options Re-Index Text Quit │ │─────────────────────────┌──────────────────────┐─────────────────────────────│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│Browse the Records │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒└──────────────────────┘▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ PC-Virus Index Ver 4.00 ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ (c) Copyright 1991 Bryan Clough ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒ Your name will be entered here after registration ▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │──────────────────────────────────────────────────────────────────────────────│ │ Datafile in use - Memory available 258 │ │ Current Directory - C:\PC-VIRUS Free disk space - 16,533,504 │ └──────────────────────────────────────────────────────────────────────────────┘ From the menu bar at the top select one of the options either by entering the first letter or through use of the arrow keys, followed by [Enter]: 1. START You can open any of the PCV database files listed but you need to open one before you can use the Index. At first, you will only have one PVC.DBF file to choose from. 2. BROWSE will then take you into the Browse Screen. 3. RE-INDEX allows you to sort the records to the order of your choice. 4. TEXT allows you to read any of the text files in the PCV directory, including this document and the *.rpt reports, if you are using them. 5. QUIT or read one of the information screens listed. Registration information, the datafile in use (if any), the Current Directory, Memory Available (PCV needs 512KB+) and Free Disk Space (PCV requires 1MB+) are also shown. PC-Virus Index - Page 7 5. VIRUS PROFILES ----------------- At the very top of the screen is the menu bar, as before, but most of rest of the top half of the screen is dedicated to providing a succinct profile of each virus. On-screen help which summarizes the Navigational Options and the use of the Check Marks is available through use of the F1 function key. Scroll Find Goto Report Warning VI-Guide Quit ┌──────────────────────────────────────────────────────────────────────────────┐ │ Name: 4096 v: WHALE aka FISH-9, MOTHER FISH │ │ │ │ Size: 9216 bytes │ │ Country: GERMANY Date: 31/08/90 Strains: 33 │ │ │ │ Effects: Versions so far seen do not appear to work or, at best, to slow │ │ systems down very considerably. One of the largest and most │ │ complex viruses reported. This appeared shortly after FISH-6 and │ │ it was initially reported that this virus could modify FISH in │ │ some way, but this has not been demonstrated. Mutates to │ │ produce 33 different versions. │ ├───────────────────────────────────────────────┬──────────────────────────────┤ │ Category: File Virus │ │ ├───────────────────────────────────────────────┤ √ Dr Solomon's Toolkit │ │ Boot Sector: √ Command.com √ Stealth │ √√ Frisk's F-PROT │ │ Diskette √ COM Files √ Mutating │ √√ McAfee Associates │ │ HD-Master √ EXE & Ovl √ Resident │ √√ Norton Anti-Virus │ │ HD-Part'n Other Exec Overwrites │ √ Jim Bates's Viscan │ ├───────────────────────────────────────────────┤ √ Thunder Byte Scanner │ │ New Record √ Report √ Warning │ │ └───────────────────────────────────────────────┴──────────────────────────────┘ (+) Next (-) Prev Record Press F1 for Help Record No. 136 The profiles show the following information as it becomes available: 1. NAME This field shows the name(s) which have been given to this particular virus (or other dubious program). The first name is either its 'preferred name' or its 'family name' followed by any other names that are still in common use. Confusing descriptors like II, IIb, or -2 have been eliminated as far as possible because the fuller descriptions now available to users of PC-Virus Index make many of them redundant. Superseded aliases that have had only limited acceptance have also been excluded. 2. SIZE The virus sizes that have been reported are listed. Several viruses have the same size, in some cases as a matter of accident and in other cases by deliberate design. PC-Virus Index - Page 8 3. COUNTRY, DATE, STRAINS Where the country of origin of a virus is known it is noted together with the date first reported and the number of strains. The strains might come from anywhere, so these three fields are not necessarily associated. In several cases, the number of strains shown almost certainly understates the actual number in existence. 4. EFFECTS A brief overview is provided on each virus as soon as possible but sometimes it takes weeks for information to filter through on what any particular virus does. Not all the effects are known but most viruses can cause damage of some sort, many quite deliberately. At the bottom left of the screen, the behaviour of each virus is recorded with check marks, as follows: 5. CATEGORY & SORT ORDER All the records have been categorized and (by default) are sorted by name within category. The categories are: Dual: Boot Sector & File Virus Boot Sector Virus File Virus Trojan Joke, etc The first three categories describe the areas targeted by the viruses. Some trojans and jokes are also listed, where these have been either been mistaken for viruses or are in some way associated with them. A TROJAN is a program that pretends to do something useful while actually causing damage and it generally relies on the preparedness of a user to try an 'unknown' program. Unlike a virus, a trojan is not able to reproduce itself but there are now trojans that drop viruses and viruses that drop trojans. JOKES: Some 'viruses' simply turn out to be jokes and whether a malicious program is a joke or a trojan is largely a matter of whether or not you are on the receiving end. 6. RE-SORTING THE RECORDS The records can be resorted to the order of your choice by use of the RE-INDEX option, provided on the Opening Screen. When delivered, PC-Virus Index has been sorted by Name within Category and will build an index for itself accordingly. PC-Virus Index - Page 9 6. VIRUS BEHAVIOUR ------------------- Underneath the Category field, there are further fields which show which files and sectors a virus will attempt to infect. Not so long ago viruses infected either Boot Sectors or Files, but now an increasing number try to infect both, making them potentially much more infectious and also more difficult to clear out. Some viruses with the capability of infecting both files and sectors have not been generally recognised as such (eg FLIP and LIBERTY) which may have extended their opportunities to propagate. You will be able to pick out the infection targets easily as you navigate through PC-Virus Index, thanks to the check marks which vividly present this information. The target areas for virus infection are: 1. DISKETTE BOOT SECTOR This is the Boot Sector that resides on every formatted diskette. Please note that diskettes do not have to be 'bootable' (ie with the hidden system files) in order to be infected and infective. Nor does a system have to be successfully booted in order for infection to pass: an attempt to boot is sufficient even if the 'Non System Disk ....' message results. 2. HARD DISKS There are always at least two Boot Sectors on a Hard Disk and they get called a variety of names and all are confusing, perhaps sometimes causing the wrong treatment to be applied. Irrespective of whatever any one else calls them (and nobody agrees!), we have called them: 3. MASTER BOOT SECTOR This is located at Head 0, Cylinder 0, Sector 1 - the first physical sector on the Hard Disk, what Norton calls 'absolute'. It contains the Partition Table which is system specific and because it is not addressable through DOS, users typically do not have backup copies. This sector and possibly also adjoining sectors are sometimes used by computer manufacturers for 'disk signatures' without which the hard disk will not function. PC-Virus Index - Page 10 This sector can be modified by FDISK which usually also rewrites many other sectors as well and by a 'low-level' format using DEBUG or disk management software. These are all destructive processes and a low-level format should only be undertaken by someone who knows the required procedure (which varies depending on controller card) and parameters (which vary with each model of hard disk). An infection on this sector is therefore bad news and the most widespread boot sector viruses (STONED & JOSHI) target this area. Disinfection is possible in many cases provided that the infection has been positively identified (eg through checksum verification) rather than just generally indicated. DOS FORMAT or any other 'high level' formatter will not disinfect viruses that have positioned themselves in this sector. 4. PARTITION BOOT Every Hard Disk also has at least one partition which will have been described on the Partition Table in the Master Boot Record. One of the partitions will also have been specified as the active or DOS bootable partition, usually Drive C. Clearing a virus from this sector is simply a matter of using DOS SYS but you must boot from a known clean diskette and you must use the right version of DOS. DOS versions earlier than 4.0 also require the system files to be in a special position. Either a potentially fraught 'low-level' format or a less demanding 'high-level' format are unnecessary overkill for disinfecting viruses of this type. 5. COMMAND.COM The COMMAND.COM file is a popular target for viruses, some of which hide themselves inside so as not to add to its size. This means that, it may not be possible to disinfect this file in which case, deletion and replacement will be needed. 6. COM FILES COM files are executable programs ending with the extension .COM and they are the most popular target of virus writers because they are both very common and relatively simple in structure. Provided that a file has not been overwritten, then disinfection is likely. COM files are a special type of EXE file and they cannot be larger than 64KB, for example. Viruses are therefore often selective about the sizes of files that they will infect: avoiding the small ones because they might be too obvious and the larger COM files where, for example, they might exceed the size constraint. PC-Virus Index - Page 11 7. EXE & OVERLAY FILES EXE files are executable programs ending with the extension .EXE. These are more complicated than COM programs and often use 'overlays' which they bring into use when required. The overlays are also executable programs and they are given a variety of extensions, dependent on the whim of the software developer. Overlays do get infected by viruses but this seems to be a function of how the program was written rather than how the virus was targeted. Most virus detectors scan only COM & EXE files by default, which makes sense because these are the principal targets and this speeds things up considerably. However when a virus infection is found, all files should then be scanned as a matter of routine. Note, it is not generally possible to scan Overlay files globally because of the variety of suffixes in use. 8. OTHER EXECUTABLES In theory, any executable file can be infected by a virus and a few have been found which target SYS and BAT files. 9. STEALTH, MUTATING, RESIDENT & OVERWRITING VIRUSES Check marks against these fields have the following significance: STEALTH - is a term that is loosely applied to viruses that, like the 'Stealth' bomber, have been designed to evade detection. Some viruses are considered to be 'a bit stealthy' and there is no firm rule that can be rigorously applied. MUTATING - is used to describe those viruses that make every infection look different through some form of variable encryption. However all programs mutate in the sense that they can become corrupted in the copying process and their behaviour then becomes unpredictable. RESIDENT - means that the virus goes 'memory resident'. Most do but some work by 'direct action' and a few do both. Memory resident types can be the most troublesome, generally being more infectious and also sometimes conflicting with other programs in memory. All Boot Sector Viruses go 'resident'. OVERWRITING VIRUSES actually overwrite their hosts and this often stops the host from working but some can now hide inside a file. In either case, it means that disinfection may not be possible. PC-Virus Index - Page 12 7: DETECTION & DISINFECTION --------------------------- The panel on the bottom right of the screen is provided to list up to six anti-virals scanners and also to identify those that offer a disinfection option, where feasible. Each anti-viral earns a check mark if it can detect some but not necessarily all of the strains on the record and it earns two check marks if it can also offer disinfection. Tests show that no one scanner can be relied upon to find every strain of every virus listed, particularly as new 'hacks' keep appearing which have been specifically targeted at one or more of the scanners. Similarly, disinfection is not always feasible even after successful detection, possibly because the virus or its target has not behaved predictably or because a positive identification has not been made. In case of doubt check with the supplier. No scanner can positively detect a totally new virus except as a matter of chance but some perform better than others at picking out 'unknown' boot sectors on diskettes and some also provide generic disinfection on diskette boot sectors. Variants of already known viruses can often be identified as a 'possible' infection if 2 or 3 judiciously chosen scanners are used. False alarms are on the increase reflecting the growth in the number of viruses that are now known. Consequential action to a false alarm can sometimes cause more damage than the virus concerned. Attempts to disinfect systems that have, or are suspected of having, viruses can also cause more damage than the virus concerned. Positive identification of a virus is a pre-requisite to determining the appropriate remedial actions needed. Some files get infected by more than one virus or more than once by the same virus. When disinfecting, have you cleared out all the layers? And are there any viruses lurking in archived files, out of sight of the scanners? PC-Virus Index - Page 13 8. NAVIGATING THE DATABASE -------------------------- The navigational options are: Scroll Find and Goto (from the menu bar) + & - (noted on the bottom bar) and the ESC (Escape) key which generally takes you back to where you were. These work as follow: 1. SCROLL Hitting [Enter] will bring up a Window where the names of the first seven records will be displayed. You can now use the arrow keys quickly to 'scroll' through the names on all the records. If you see a record that you would like to examine, hit [Enter] and you're there. Or you can 'escape' from the Window by using the Escape key. The keys: + = Next Record - = Previous Record allow you to step through the database, forwards or backwards, one record at a time. Or by holding either of these keys down, you can quickly 'thumb' back and forth through the records. Unlike SCROLL, these keys allow you to see all the information presented on screen for each record. 2. FIND Hitting [Enter] brings up another Window where you can 'Select Search Field' from one of the following: Name Country Size Effects, lines 1 to 6 You can select any of these through use of the arrow keys followed by [Enter] and you then get a further Window which asks you to pick one of the search criteria: equal to, greater than, less than, greater than or equal to, less than or equal to, not equal to, contains The 'contains' option is particularly useful because this allows you to do a 'partial string search' which means that you do not have to over-precise in specifying the word that you are searching for. This particular Window revolves continuously, so you can go round and round until you have made your choice with the [Enter] key. This brings up a further Window which asks you to enter the 'word' (which may be a number) that you are seeking. Type this in and enter. PC-Virus Index - Page 14 3. SEARCH TECHNIQUES There are two viruses called GREEMLIN and ARMAGEDON THE GREEK, both presumably misspellings for GREMLIN and ARMAGEDDON. If you had predicated your searches on the 'correct' full spellings, you would not have found them. However using the 'contains' option and searching for ARM immediately brings up ARMAGEDON, whilst searching for GRE also brings up ARMAGEDON because it has found 'GRE' in GREEK. Hitting [Enter] again brings up another box: Continue from last search? Continue.. New Search The 'Continue' box is already highlighted so if you hit [Enter] again, you will then find GREEMLIN. And, if you continue .... OGRE, GREEN CATERPILLAR and so on. Obviously, however, a search for GREEM would have brought up the required record straight away, if you already knew the spelling. You can also search by SIZE, by COUNTRY and by EFFECTS. As you will see, there are 6 lines allocated for 'effects' and if you choose to search by effects, then you may have to search each of the 6 fields before you exhaust all the possibilities. In practice, the effects are often included on Line 1. Searching the SIZE field with numeric options (eg 'is greater than', 'is less than' etc) may not produce the answers that some users might expect, because it is a text field. The first number is shown normally for sizes larger than 1,000 and smaller than 10,000 bytes but sizes smaller than 1,000 are prefixed with '0' or '00' and sizes larger that 9,999 are prefixed with a » character. This ensures that the records will be properly sorted by size, despite the choice of a text field. The final navigational option is: 4. GOTO All the records have a Record Number which is shown in the bottom right corner of the screen. You might be looking at record # 250 and then decide to search for another one but if you plan to return to # 250 then GOTO gives you the fastest route, if you remember it. It is also a great way to get quickly to the first record. PC-Virus Index - Page 15 9. OTHER FEATURES ------------------ The following options are also on the top menu bar: 1. WARNING A special message is posted on several records to warn of particular hazard(s) identified with the virus concerned. When a warning has been posted, a Check Mark is placed against the 'Warning' sign on the bottom of the screen. 2. REPORT Many of the records are directly linked to one of the text reports which are provided as a separate file. If the virus has been linked to a report, as indicated by a check mark, then the report can be read by highlighting REPORT on the menu bar and [Enter]. 75% of all viruses reported are variants of already known viruses, so do not expect an individual report against each and every record. Also don't be surprised if you ask for the PING PONG report and you find references to BOUNCING BALL and ITALIAN. In the world of computer viruses, every virus that 'travels' picks up a variety of names and PC-Virus Index will help you to zero in on the one virus that the various scanners and reports are actually referring to, even if they all use a different name! 3. VI-GUIDE This provides an index to the eight records that have been used to link into text files that describe the options available and the terms used. ********************** We hope that you find PC-Virus Index of practical help in tackling the nuisance caused by computer viruses and please remember that the best protection against most disruptions is provided by regular backups, systematically checked for restorability.